
I was playing around with setuid perl for command execution (insecure).

I learned from another question that `env - /usr/bin/perl -e 'system("...")'` doesn't reset the EUID to RUID, as is the case for modern implementations of `/bin/sh`.

However, I cannot execute multiple commands, separated by `&&` or `;`, using the above command without perl resetting the EUID?

```
kube@ctf4-deploy1-65d9686c54-7x2zh:~$ ls -la /usr/bin/perl
-rwsr-xr-x 1 root root 3197768 Mar 31  2019 /usr/bin/perl
kube@ctf4-deploy1-65d9686c54-7x2zh:~$ env - /usr/bin/perl -e 'system("id")'
uid=1000(kube) gid=1000(kube) euid=0(root) groups=1000(kube)
kube@ctf4-deploy1-65d9686c54-7x2zh:~$ env - /usr/bin/perl -e 'system("id && id")'
uid=1000(kube) gid=1000(kube) groups=1000(kube)
uid=1000(kube) gid=1000(kube) groups=1000(kube)
```
Jeff Schaller
Shuzheng
  • That was explained in the answer you accepted... – Stephen Kitt Mar 26 '20 at 13:30
  • “This is different in perl: perl's `system`, `exec`, `open "|-"`, `open2`, `open3`, etc will run the command directly if they're called with multiple arguments or if the command does not contain shell metacharacters” – Stephen Kitt Mar 26 '20 at 13:55
  • @StephenKitt - so, it's the meta-characters `&` and `;` that make `perl` drop privileges, since it runs the command through the system's `/bin/sh` in case such characters are present? By "... command directly if they're called with multiple arguments ...", you mean the command is called with multiple arguments or one of these Perl functions? – Shuzheng Mar 26 '20 at 15:01
  • They don’t make Perl drop privileges, they cause it to use the shell to run the commands, and the shell drops privileges. If you’re really interested in suid Perl you should look into `suidperl` and why it was dropped. – Stephen Kitt Mar 26 '20 at 15:02
  • See [the `system` documentation](https://perldoc.perl.org/functions/system.html) for details of how the arguments are processed. – Stephen Kitt Mar 26 '20 at 15:05
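
The behaviour described in the comments above, as an added example that is not part of the original post or its comments: it needs no setuid binary and only reports which `system` call forms perl hands to `/bin/sh`. The helper script, its temporary path and the case labels are constructed for illustration, and the code assumes neither perl's own path nor the temp directory contains shell metacharacters.

```perl
#!/usr/bin/perl
# Added example: shows which system() call forms perl passes to /bin/sh.
# No setuid binary is involved; the helper only reports who its parent is.
use strict;
use warnings;
use File::Temp qw(tempfile);

# Hypothetical helper: exits 0 if its parent is the PID given in $ARGV[0]
# (perl ran it directly), 1 if another process (a shell) sits in between.
my ($fh, $helper) = tempfile(SUFFIX => '.pl', UNLINK => 1);
print {$fh} 'exit(getppid() == $ARGV[0] ? 0 : 1);', "\n";
close $fh or die "close: $!";

# Assumption: $^X and the temp path contain no shell metacharacters.
my $probe = "$^X $helper $$";

my @cases = (
    [ 'single string, no metacharacters' => sub { system($probe) } ],
    [ 'single string with &&'            => sub { system("$probe && $probe") } ],
    [ 'list form (never uses the shell)' => sub { system($^X, $helper, $$) } ],
);

printf "real uid=%d effective uid=%d\n", $<, $>;
for my $case (@cases) {
    my ($label, $run) = @$case;
    my $rc = $run->();
    die "could not run helper: $!" if $rc == -1;
    # In the && case the shell forks the first probe, so its parent is the
    # shell, it exits 1, and the && list stops with status 1.
    printf "%-34s -> %s\n", $label,
        ($rc >> 8) == 0 ? 'executed directly by perl' : 'executed via /bin/sh -c';
}
```

Only the `&&` case reports the shell, which matches the session in the question, where the euid is gone only for `id && id`.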

0 Answers